Monday, October 31, 2011

Virtualization Might Break Compliance

I recently read a Gabriel Consulting Group survey entitled 2011 Data Center Security Survey: Virtualization & Clouds. One statistic that really struck me was that approximately 65 percent of the respondents said that they were going to use “the same security mechanisms for physical and virtual systems.” This is an amazing statistic since most security solutions are not optimized for both virtualized and physical environments.

Let’s look at a couple of examples. In the physical world an IPS or firewall sits in-line with the network traffic and can block malicious or inappropriate traffic. However, if you park one of these devices in front of a virtualized server it will never see the intra-VM traffic: if multiple virtual machines (VMs) on the same physical server are communicating with each other, the IPS or firewall never sees that virtualized network traffic. Now, let’s assume that one of those VMs contains credit card data. PCI DSS 11.4 says that you must use an IDS/IPS to monitor all traffic in the cardholder data environment. It seems to me that your traditional security, which relies on ports, protocols and IP addresses, isn’t going to keep you compliant. And that brings me to my second point. In the virtual world VMs migrate to other physical machines for load balancing. How is a physical security device, whose policy is anchored to IP addresses, going to migrate with your VM?
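The visibility gap described above can be checked mechanically. The following is an added example, not code from the original post or from McAfee: it models an in-line physical IPS sitting on each host's uplink and reports which VM-to-VM flows it can inspect, before and after a VM migrates. Host names, VM names and the flow list are constructed for the example.

```python
# Added example: which VM-to-VM flows does an in-line physical IPS actually see?
# A physical appliance on a host's uplink only sees traffic that leaves the host;
# flows between two VMs on the same host stay on the virtual switch.

def inspected_by_physical_ips(flows, placement):
    """Split flows into (seen, unseen) for an IPS on every host uplink.

    flows: list of (src_vm, dst_vm) pairs
    placement: dict mapping VM name -> host name
    """
    seen, unseen = [], []
    for src, dst in flows:
        if placement[src] == placement[dst]:
            unseen.append((src, dst))      # intra-host: never crosses the uplink
        else:
            seen.append((src, dst))        # inter-host: traverses the physical network
    return seen, unseen

def migrate(placement, vm, new_host):
    """Return a new placement with `vm` moved to `new_host` (a vMotion-style move)."""
    updated = dict(placement)
    updated[vm] = new_host
    return updated

# Constructed sample: a cardholder-data database VM and three clients.
FLOWS = [("web-1", "cde-db"), ("web-2", "cde-db"), ("batch", "cde-db")]
PLACEMENT = {"web-1": "esx-a", "web-2": "esx-b", "batch": "esx-a", "cde-db": "esx-a"}

if __name__ == "__main__":
    seen, unseen = inspected_by_physical_ips(FLOWS, PLACEMENT)
    print("inspected:", seen)
    print("blind spot (intra-host):", unseen)
    # After the database VM moves hosts, the coverage picture changes even though
    # nobody touched a single firewall or IPS rule.
    seen2, unseen2 = inspected_by_physical_ips(FLOWS, migrate(PLACEMENT, "cde-db", "esx-b"))
    print("after migration, blind spot:", unseen2)
```

Run against a real inventory (VM placement exported from the hypervisor manager, flows from NetFlow or vSwitch statistics), the same check turns the blog's argument into a list of specific flows that a PCI assessor would ask about.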

Fortunately, McAfee has many security solutions that work in both physical and virtual environments. They will not only keep you compliant but they will allow you to have a consistent security policy across both environments. And, those policies are all managed from one management console.

By: Stephen Karkula

Friday, October 28, 2011

Technology News Roundup

First up this week in the news – kids and “screen time”.
A study by the American Academy of Pediatrics says kids under two should not be watching television or even be in the room when you are watching. That means no Netflix or Hulu on the iPad or PC either! I remember when my oldest was an infant, he would start to cry if I was upset watching my soaps. I stopped watching because I knew he was reacting to the subtlest of mood changes. What are your thoughts?


I saw this post from McAfee Labs about an Android virus that is being spread via QR code. QR Codes are those images that are popping up in magazines and in stores. You scan the image with the camera built into your smartphone and it opens up a webpage with content about that item or store.
 
I have been using QR codes that I find in magazines and I had no idea that QR codes could link to malware. This particular virus sends text messages from your phone to a premium number that charges users. The solution to this is to use a QR scanner that previews the code before it brings you to the site. See this post by Jimmy Shah with McAfee Labs to get suggestions for QR scanner apps for both Android and iPhone and some tips to keep your phone and phone bill safe.

Netflix has lost 800,000 customers since they made all of their changes to the service. I have not left Netflix and I still stream movies online and get disks in the mail, but I am disappointed in the selections since new movies have a delay in being available. If you are/were a customer, what did you do with the changes? Is there a service you like better?

My kids stream movies often and I realized that my cyber son #2 has hit that age where he is old enough to figure out how to stream what he wants to, but I still want to filter some of the selections. He was telling me about a movie he wanted to watch on Netflix which just sounded inappropriate, gross and well, I just don’t want him to watch it! I can block it using McAfee Family Protection on my PC and devices. We can also block it on our gaming console using the parental controls.

But what if he goes to a friend’s house? I had to explain to him why I didn’t think he should watch it and give good reasons – the content was not something that I would want to watch, it was violent, it was demeaning to women and once you see that type of content it is hard to get it out of your head. After my discussion with him, I have to let go and trust him.

I hope you all have a great week!

Stay safe out there!

By: Tracey Mooney

Thursday, October 27, 2011

Securing Mobile Data at the Application Layer

Most mobile device applications have serious security vulnerabilities.  These flaws include the storage and transmission of unencrypted data, poor session handling, and data leakage.  McAfee addresses many of the management and compliance challenges through its Mobile Security Strategy.

The Open Web Application Security Project (OWASP) Mobile Security Project focuses on the security of the applications that enrich the mobile device user experience.  According to its contributors, it “is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.”

Following the theme of the OWASP Top 10 web application risks, the project focuses on the top ten mobile risks.  This series will launch with a discussion of risk number one – Insecure Data Storage.  The controls recommended to mitigate this risk include encryption, data classification, session management, and data leakage prevention.  Gartner’s analysis of upcoming mobile application trends highlights the need for a rigorous Secure Software Development Lifecycle (SSDLC).  These trends include financial services, location-based services, and mobile health monitoring.

Data Classification
OWASP recommends that processing, storage and transmission of data should be consistent with its classification.  Developers should consider data sensitivity when creating data models from which information will be queried and processed.  They should also communicate with business stakeholders to identify the stages where data classification changes.  The University of Florida has composed a mobile device data classification policy covering OWASP’s recommendations.

Access Control
The increased usage of mobile devices to access financial content, such as online banking and credit card management sites, makes a compelling case for strong access controls.  According to a study performed by Stephen Perlson and Reinhardt Botha, there are three key security services that developers should address.

- Authentication – the application must confirm the claimed identity.
- Confidentiality – the application does not disclose information erroneously.  OWASP advises that applications be programmed to collect and disclose only the data that is required for business use.
- Integrity – the application attempts to mitigate the risk of data corruption.

Encryption
Consider the data exposed to the applications on your smart phone: information on your contacts, credentials to email accounts, and possibly credentials to financial sites, just to name a few.  A survey of 100 consumer mobile applications conducted by viaForensics found that 76% of apps stored unencrypted user credentials.  The survey also found that private data could be recovered from 60% of these applications.  The risk of credential sniffing or session hijacking is increased for those users who retain active sessions with a website.

OWASP recommends that data stored or transmitted from the mobile device be encrypted.  The choice of encryption solution will vary depending on the enterprise requirements.  In any case, developers should design code that does not store/cache sensitive unencrypted data.  All sensitive data should be transmitted to a server via a secure network connection and deleted from the mobile device.  Sensitive data should be stored in an encrypted form if network connectivity is unavailable.

Data Purging 
Data retention is a familiar concern for data handled outside of software applications, but it applies inside them as well.  OWASP warns that an application retaining data beyond the period required for processing increases the chance of data leakage.  It advises that developers destroy sensitive data such as GPS coordinates or financial data once an application has used it.  Additionally, all data that exceeds a specified retention period should be deleted.
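The Encryption and Data Purging recommendations above fit together in one piece of code: a local cache that only ever holds sensitive records in authenticated, encrypted form, deletes a record as soon as it has been transmitted, and purges anything past its retention period. The block below is an added example, not OWASP's or McAfee's code. So that it runs with the Python standard library alone, the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (HMAC in counter mode as the keystream, a separate HMAC key for the tag); that is an assumption made for the example, and on a real device the platform's AES-GCM and keystore APIs should be used instead. Record IDs, classifications and data values are constructed.

```python
import hashlib
import hmac
import os
import struct
import time

class SensitiveCache:
    """Offline cache enforcing three policies from the OWASP discussion:
    SENSITIVE records are encrypted and authenticated at rest, a record is
    deleted once transmitted, and anything older than `retention` is purged.
    Cipher: HMAC-SHA256 in counter mode + HMAC tag (stdlib-only stand-in for
    AES-GCM; chosen so the example runs anywhere, not a recommendation)."""
    SENSITIVE = "sensitive"
    PUBLIC = "public"

    def __init__(self, master_key: bytes, retention_seconds: int):
        # Separate keys for encryption and authentication, derived from the master key.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.retention = retention_seconds
        self._store = {}  # record_id -> (classification, stored_at, blob)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)  # fresh nonce per record; never reuse with the same key
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before decrypting
            raise ValueError("record tampered with or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def put(self, record_id: str, classification: str, data: bytes, now=None):
        """Store a record; SENSITIVE data never reaches the store in the clear."""
        now = time.time() if now is None else now
        blob = self._seal(data) if classification == self.SENSITIVE else data
        self._store[record_id] = (classification, now, blob)

    def get(self, record_id: str) -> bytes:
        classification, _, blob = self._store[record_id]
        return self._open(blob) if classification == self.SENSITIVE else blob

    def raw(self, record_id: str) -> bytes:
        """What actually sits on disk for this record (for inspection/tests)."""
        return self._store[record_id][2]

    def mark_transmitted(self, record_id: str):
        """Purge after use: once uploaded to the server, the local copy goes."""
        self._store.pop(record_id, None)

    def purge_expired(self, now=None):
        """Delete every record older than the retention period; returns their IDs."""
        now = time.time() if now is None else now
        expired = [rid for rid, (_, t, _) in self._store.items() if now - t > self.retention]
        for rid in expired:
            del self._store[rid]
        return expired

    def __len__(self):
        return len(self._store)

if __name__ == "__main__":
    cache = SensitiveCache(master_key=os.urandom(32), retention_seconds=3600)
    cache.put("gps-1", cache.SENSITIVE, b"lat=12.34,lon=56.78")   # constructed sample
    print("stored in the clear?", b"lat=12.34" in cache.raw("gps-1"))
    print("decrypts to:", cache.get("gps-1"))
    cache.mark_transmitted("gps-1")
    print("records left:", len(cache))
```

The `now` parameter on `put` and `purge_expired` exists so retention logic can be tested deterministically; production code would call them without it. Note the order in `_open`: the tag is checked before any decryption happens, which is what keeps a tampered record from being acted on.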

The Kill Switch
According to a study by the Department of Health and Human Services, over 116 cases of mobile device loss or theft led to the exposure of at least 500 patient records each between September 2009 and May 2011.  These are cases in which applications lacked access to a common API that allows data to be deleted or the device to be disabled remotely.  OWASP recommends that such an API be accessible to all applications that store or process data on the device.

The next installment in this series will discuss the management of user credentials on mobile devices.  Some of the controls will include the use of authorization tokens and the limitations on SMS as a communication channel.  This installment will also cite the common tools used to exploit poorly secured mobile devices.


By: Steven Fox

Wednesday, October 26, 2011

Phishers Continue Celebrity Promotion with Selena Gomez and Demi Lovato

Co-author: Avdhoot Patil

Celebrity promotion has gained momentum in the world of phishing. In October 2011, we observed Indonesian rock star Ahmad Dhani being used as phishing bait, and phishers continue their stream of celebrity bait with popular singers Selena Gomez and Demi Lovato. Celebrities with a large fan following are phishers’ favorites, because they believe a larger audience will mean more duped users.

In today's example, phishers created phishing sites that spoofed the login pages of a popular information services website. The phishing pages contained a picture of the singer, and the page was altered to give the impression that users could gain access to additional content about the celebrity after entering their own login credentials. It should be noted that legitimate websites will never alter the format of their login page for celebrity promotions. After the login credentials are entered into the phishing site, users are directed to a page offering various options. These options include chatting with the singers, visiting their official community page, watching videos, seeing images of them in popular search engines, and so on. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their confidential information for identity theft purposes.

The phishing sites were written in French, and the phishers used domains that were typosquats of the names Selena and Demi. The country code top-level domain (ccTLD) of these domains was that of Tokelau (a territory of New Zealand).
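A defender can catch the typosquatting pattern described above with a simple lookalike check over proxy or DNS logs. The following is an added example, not code from the original post or from Symantec: it compares the registrable label of a URL's host against a watchlist of protected names using edit distance and reports near misses together with the top-level domain, so an analyst can see both the lookalike and the ccTLD at a glance. The watchlist and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Names whose lookalikes we want to flag (constructed for the example).
WATCHLIST = ["selena", "demi"]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'selenna' for 'www.selenna.tk'.
    Naive on purpose: it ignores multi-label public suffixes such as co.uk."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_score(url: str, watchlist=WATCHLIST, max_distance=2):
    """Return (label, closest_name, distance, tld) when the host's registrable
    label is within `max_distance` edits of a watched name but not identical
    to it; return None otherwise."""
    host = urlsplit(url).hostname or ""
    if not host:
        return None
    label = registrable_label(host)
    tld = host.rsplit(".", 1)[-1]
    closest = min(watchlist, key=lambda name: levenshtein(label, name))
    distance = levenshtein(label, closest)
    if 0 < distance <= max_distance:
        return (label, closest, distance, tld)
    return None

def scan(urls, **kwargs):
    """Run the check over a batch of URLs and keep only the hits."""
    return [(u, hit) for u in urls if (hit := lookalike_score(u, **kwargs))]

if __name__ == "__main__":
    # Constructed sample log lines, not real phishing URLs.
    SAMPLE = ["http://www.selenna.tk/login", "https://demmi.example/", "https://example.com/"]
    for url, hit in scan(SAMPLE):
        print(url, "->", hit)
```

Edit distance alone produces false positives on short names, which is why the result carries the distance and TLD rather than a verdict: in practice you would combine it with domain age, whether the page serves a login form, and a public-suffix list instead of the naive `registrable_label` above.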


Internet users are advised to follow best practices to avoid phishing attacks:
  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.
By: Mathew Maniyara

Tuesday, October 25, 2011

W32.Duqu: The Precursor to the Next Stuxnet

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
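A command-and-control channel that hides behind image transfers is something a defender can look for generically. The block below is an added example, not Symantec's code and not a description of Duqu's actual file format: the post says encrypted data travels alongside dummy JPG files but does not say how it is packaged, so the check here is a general heuristic for "a JPG that is not just a JPG": it walks the marker segments, locates the end-of-image marker, and reports any trailing bytes together with their Shannon entropy (high entropy suggests encrypted or compressed data). The minimal JPEG and the appended payload are constructed.

```python
import math
from collections import Counter

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_jpeg(data: bytes) -> dict:
    """Parse marker segments up to start-of-scan, then find the real EOI and
    measure whatever follows it."""
    info = {"is_jpeg": data.startswith(SOI), "markers": [],
            "trailing_bytes": 0, "trailing_entropy": 0.0}
    if not info["is_jpeg"]:
        return info
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        info["markers"].append(marker)
        if marker == 0xDA:                      # SOS: entropy-coded scan follows
            break
        if 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xFF):
            pos += 2                            # standalone markers carry no length
            continue
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen                       # length field includes itself
    # Scan data is byte-stuffed, so the first FF D9 after SOS is the real EOI.
    eoi = data.find(EOI, pos)
    trailing = data[eoi + 2:] if eoi != -1 else b""
    info["trailing_bytes"] = len(trailing)
    info["trailing_entropy"] = shannon_entropy(trailing)
    return info

def looks_like_carrier(data: bytes, min_trailing=64, min_entropy=7.0) -> bool:
    """Heuristic verdict: valid JPEG header plus a sizeable, high-entropy tail."""
    info = analyze_jpeg(data)
    return (info["is_jpeg"] and info["trailing_bytes"] >= min_trailing
            and info["trailing_entropy"] >= min_entropy)

# Constructed minimal JPEG: SOI, one APP0 (JFIF) segment, SOS, three scan bytes, EOI.
MINIMAL_JPEG = (SOI
                + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
                + b"\x00\x11\x22" + EOI)
# Constructed stand-in for an appended encrypted blob: every byte value equally often.
APPENDED = bytes(range(256)) * 4

if __name__ == "__main__":
    print("clean image:", analyze_jpeg(MINIMAL_JPEG))
    print("image with tail:", analyze_jpeg(MINIMAL_JPEG + APPENDED))
    print("flag?", looks_like_carrier(MINIMAL_JPEG + APPENDED))
```

The thresholds are deliberately conservative: real cameras append EXIF thumbnails and editors leave small trailers, so a few low-entropy bytes after EOI are normal, whereas kilobytes of near-random data are worth a second look. Run over files reconstructed from proxy logs, this turns "downloads JPG files" into a measurable anomaly rather than a shrug.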

Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.

You can find additional details in our paper here. The research lab that originally found the sample has allowed us to share their initial report as an appendix. We expect to make further updates over the coming days.

Key points:
• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

Note: At press time we have recovered additional variants from an additional organization in Europe with a compilation time of October 17, 2011. These variants have not yet been analyzed. More information will follow.

Update [October 18, 2011] - Symantec is aware that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011. Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec’s roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan.

Update [October 19, 2011] - Updated link to paper. Also, our authentication team has written a blog on their investigation into the private key usage by Duqu.

By: Symantec Security Response

Monday, October 24, 2011

A Transformational Gathering of IT Leaders

I am now back in the office after 2.5 days in a room with 100+ IT leaders, collectively tackling the single most difficult challenge in IT today: how do you transform an IT organization to be more strategically relevant to the business it serves?  

The event itself -- the EMC IT Leadership Council -- was the first of its kind for us.  Personally, I see it as a huge success on multiple levels.

While no one will claim that we came up with The Perfect Answer, we shared an amazingly comprehensive foundation of transformational perspectives and examples.  No matter where you might be in your IT transformational journey, there were powerful perspectives and experiences to share.
Fair warning: for the next few weeks, you're going to see post after post from me recapping the big concepts and discussions from this event.

If the topic of leading or participating in an IT transformation is on your mind, you're in luck.  This is some of the best IT transformational content I've seen -- ever.  And I get to see a lot of that stuff.
But if your interests trend towards other things, you'll have to put up with me while I get all of this across the wire and into the hands of the people I know can benefit from it.

The Backdrop
At EMC, we've been talking "cloud" since mid-2008.  Well, it's 2011, and it's sort of here.

Originally, we thought cloud was mostly a technology thing.  We were wrong.
We've come to realize that "cloud" signifies a complete restructuring of the IT industry for all participants: the vendors, the routes to market -- and especially the people who consume it on behalf of the organizations they serve.

At an infrastructure level, highly-standardized variable resource pools -- whether internal or external -- have now demonstrated that they can make IT more efficient and more responsive.  At an application level, cloud concepts can improve legacy application delivery as well as enable an entirely new class of applications.  And at a user experience level, the hot demand for mobilized interfaces demands ever larger clouds to support them.  Add in new ways of securing and managing IT, and it's a breathtaking picture.

Unfortunately, the new "supply potential" of cloud-ish technology -- by itself -- isn't enough to drive large-scale IT transformation.  After all, better ways of doing things in IT can take years and years to be widely adopted, if ever.

What's more important is the new demand side: business users who now see clear alternatives to the traditional IT monopoly.

If internal IT can't help them get where they need to be, they're now more willing than ever to go outside to all manner of IT service providers.  Traditional outsourcing has given way to selective out-tasking.

In between these massive shifts in IT supply and IT demand sits the IT leader squarely in the cross-hairs.  Many of them feel they've got a very short window to transform their IT organizations into attractive internal service providers, or lose business (and lose relevancy) to those outside the organization who can earn the business.

That was the underlying premise of the 2.5 day session -- to bring these under-the-gun IT leaders together, share what EMC has learned, and combine it with what they've learned.
Everyone has a piece of the puzzle, it turns out.

Not Your Average Vendor Session
Most of these CIO or IT leader sessions from vendors end up being thinly veiled sales pitches for what the vendor is selling.  I'm sort of proud that we made it through the entire 2.5 days without a single sales or product pitch -- although our EMC Consulting brethren were working the audience a bit :)
Just about 100% of the ideas and concepts presented are implementable in a non-EMC or non-VMware environment -- a standard to which other strategic vendors should hold themselves.
The titles and subjects reflect what we thought was a comprehensive approach to the subject.
We started with Sanjay Mirchandani (EMC's CIO) sharing a compelling story as to why EMC decided to invest in transforming its approach to internal IT: how we did it, what we achieved and what we learned along the way.

Next up, Tom Roloff (who leads EMC Consulting) shared our best work we've done with customers on how to create the case for a transformational investment.  We shared the frameworks we were using internally and externally, and presented the results of a case study we'd done with a customer.  We then broke into smaller groups to discuss and brainstorm.

Next, Sandy Hamilton and Bradd Lewis (both from EMC Consulting) led a short session on assessing readiness for a transformation.  The underlying concepts I thought were quite good; unfortunately, some of it got lost in translation so we'll need to come back and buff up the digestibility of this content.  Once again, we broke into smaller groups to discuss.

Pat Gelsinger then took us through a whirlwind tour of the technology side: how technological advances were making cloud, IT as a service and IT transformation possible.  I thought I was a get-through-a-lot-of-material-quickly speaker; Pat takes it to a whole new level.  Pat did share a few interesting newer nuggets, which I'll get to when I recap his presentation.

We broke for dinner, drinks and some very lively conversation.  A few of us were up late :)
The following morning, Jon Peirce took the stage and spoke for close to two hours on his experiences on  organizing for success.  The interest level here was absolutely intense; no surprise, because when it comes to changing how an organization does what it does, it all boils down to the people.

If your time (or interest) is limited, Jon's material is perhaps the most important and relevant to IT leaders considering a transformation -- it's all about the people at the end of the day.
We then broke for some fascinating drill-downs on specific use-cases:
I know, any one of these could be a multi-day event in itself, so plenty of material to come back to at a later opportunity.  And, no, we didn't have a storage session.  All the technology-specific customer forums are now run by their respective business units.

The Outside View
Most of the topics and sessions were relatively inward focused around the emerging relationship between IT and the business.  What could we do to establish a perspective outside the business -- one where IT could play a leadership role?

The answer came in the form of Peter Weill from MIT, who presented a fascinating framework on enabling "digital business models".  Much food for thought there -- I think it was a perfect way to end the event.  I'm looking forward to writing that specific post ...

So Here We Go
If you're interested in the "sound bites" from the event, my colleague Ken Oestreich did a nice summary on his blog here.  I'd largely agree with his observations.

If you're interested in viewing the source material directly, you can find it here (no reg required, more content going up soon)

And, for the next week or so, look forward to a sequence of posts as I attempt to unpack the dozens of powerful core concepts there -- and, more importantly -- how the attendees reacted to and added to the discussion.

Thanks to all who attended -- we really appreciated your investment in time, and we hope you found it worthwhile.

By: Chuck Hollis

Friday, October 21, 2011

Consumers Need to Rethink IT Security and Safety

Hackers and crackers and data breaches! Oh my! Confused? Overwhelmed? Don’t care? You should, and there’s help.

Few people are as head first into gadgets, technology, the cloud and security as I am. I have my devices, my wife’s, my kids’; there are Apple products, Microsoft Windows, smart phones, feature phones and tablets. It’s maddening.

Now, instead of one PC per household, consumers are purchasing multiple devices. And with consumers able to access the digital world as easily from their smartphones and tablets as from their personal computers, PCs are no longer the main method of connecting to the Internet.
This wave of new devices and their ease of connectivity also means that consumers are now starting to think differently about their digital security.

Mobile Device Users
The threat of lost or stolen devices and the possibility of their personal information being used for fraudulent purposes is a significant concern. In the United States 113 mobile phones are lost every minute, and more than half of smartphone users do not use any password protection to prevent unauthorized device access.

Mac Users
Mac OS is not safe from viruses. As of late last year there were 5,000 malware versions targeting the Mac, a number that is growing by ten percent per month. 

Child and Teen Users
Are your kids being exposed to pornography? Will they be contacted by strangers through their social networking profiles?  Are they downloading age-appropriate music and movies? Having protection on the household PC is no longer enough. Parents need to know that their children are safe on all the devices they use, wherever they connect.

Solutions
It is here, and it is called McAfee All Access. Before, consumers had to look for and download a hodgepodge of security software from numerous vendors with multiple “keys” to activate. What McAfee knew consumers wanted was an “all in one” solution that once and for all provides a dashboard to manage all your devices from one place, regardless of whether each is a PC, smartphone, tablet, netbook, or Mac.

By: Robert Siciliano

Thursday, October 20, 2011

What Are Your Digital Assets Worth?

Digital assets include: entertainment files (e.g. music downloads), personal memories (e.g. photographs), personal communications (e.g. emails), personal records (e.g. health, financial, insurance), and career information (e.g. resumes, portfolios, cover letters, contacts), as well as any creative projects or hobbies involving digital files.

If your PC crashes or is hacked and your data is not properly backed up, how devastated will you be? Whether for personal use or for business, chances are you have a collection of documents, music, and photos that, if compromised, would almost feel as if your house and all your belongings had been burned up in a fire.

A recent survey found that 60% of respondents own at least three digital devices per household, while 25% own at least five. (Digital devices are mainly desktop or laptop computers, tablets, and smartphones.) As many as 41% of those surveyed spend more than 20 hours per week using a digital device for personal use. Admittedly, I’m online for at least 16 hours a day.

Photographs and similar memorabilia are the main digital asset that most people (73%) consider irreplaceable, should they be lost without having been backed up. Respondents valued personal memories at an average of $18,919, compared to $6,956 for personal records, $3,798 for career information, $2,848 for hobbies and projects, $2,825 for personal communications, and $2,092 for entertainment files.

Consumers estimate the total value of all their digital assets on multiple devices at an average of $37,438, yet more than a third lack protection for those devices.
According to Consumer Reports, malware destroyed 1.3 personal computers and cost consumers $2.3 billion in the last year. Not only have hackers continued to target PCs, with the increased popularity of tablets, smartphones, and Macs, threats are becoming both more common and more complex for non-PC devices. For example, according to McAfee Labs, malware targeted at Android devices has jumped 76% in the last three months.

Many people protect their PCs and digital assets from malware by installing antivirus software. When it comes to smartphones, tablets, and Macs, however, they leave the doors open to criminals. Bad guys are now targeting these devices, as they have become the path of least resistance. Now more than ever, a multi-device security strategy is necessary.

McAfee understood this and solved the complexity and cost pain points by developing a product called McAfee All Access (www.mcafee.com/allaccess). This is the first full security offering for Internet connected devices — from smartphones and tablets to PCs and netbooks. Basically you can get a single license for a great price to secure all of the devices you own!

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)


By: Robert Siciliano

Wednesday, October 19, 2011

The Dark Side Of Clouds

In my travels, I'm starting to see a disturbing trend.  I don't like it one bit.
 
The setup is easy.  Business is demanding more from IT.  IT wants to respond by being able to deliver cloud-like services internally.  A group of smart people assemble to try and tackle the challenge.
And then it all goes horribly, horribly wrong.  

The assembled team decides to invest many months and piles of money to go hand-craft their own "cloud" out of commodity components.  Their management team, for whatever reason, allows them to go do it.  Based on experiences so far, almost no one seems to be able to reach the finish line with a satisfactory result.

The first time I saw this at a large financial institution, I thought it was an anomaly.  I've now seen this for the 7th or 8th time, so there's a pattern forming.  And it's grim.

I've been giving some serious thought as to why some IT groups decide to go down this particular road, and others take a more pragmatic route.

And, to be honest, it's not a pretty picture.

Meet The Cloud Building Team
A classic example was about six weeks ago -- I had a few hours with the "cloud team" at a relatively large financial services institution.  They had started to assemble a home-grown cloud environment, and they wanted to know what commodity-like storage bits and pieces EMC might have that could help.

Not a good starting position, but I was sort of curious as to why they were going down their chosen path.

My first question -- why are you folks hand-crafting a commodity cloud vs. simply buying a pre-integrated and supported solution like a Vblock?

Obviously, to save money, they replied.  They felt that by using open source and commodity components, they had the potential of saving their company a "boatload" in vendor costs.  Amazon had done it, Google had done it, why couldn't they?

My second question -- how was it going?
A bit of a pause before the response.  It was taking longer than they had originally promised their management, and they were facing more challenges than they had originally anticipated.  Nothing that more time and more resources couldn't fix.

My third question -- well, how far had they gotten?  
After six months, they had a modest environment of a few hundred virtual machines up and running, and it was sort of working on good days.  They'd been unable to convince too many people to use the new environment -- something about stability problems, application compatibility issues, a less-than-optimal user experience, and so on.  Nothing that couldn't be sorted out.

The big question -- how much money had they put into it so far?  
Not much, they'd reckoned -- some commodity servers, storage, networks, etc.
Hold on -- what about all the time your team had spent so far?  Six months -- how many people?  Long pause.

And what about the opportunity cost?  Wasn't the team six months in with nothing really usable to show so far?  And no firm estimate as to how much more it was going to cost, or how long it was going to take, or even if the results would be usable?  A much longer pause ensued.

I was calling their baby ugly.  You could feel the tensions start to rise.

I thought for a moment as to whether or not I should bring up their perceptions of ongoing support costs associated with their pet project if it ever made it into a production environment.

I wisely decided to hold that thought, and pursue a different course.

Perceptions About The Alternative
OK, I said, you guys probably know about what VCE is doing with Vblocks, and what HP is doing, and so on.  Why didn't you go down that sort of route?

The first objection was predictable: it costs too much.  Really?  How did the cost-to-serve numbers stack up?  Well, they really hadn't done a detailed comparison, but they just felt that by going down the open source and commodity component route, they'd end up saving money.

After all, that's what the big cloud boys did -- Facebook, Twitter, et al.
The second objection was also predictable: they wanted to avoid vendor lock in.  They felt that if they started with something like a Vblock, they'd be forced to stay with something like a Vblock, especially if they wanted to introduce another flavor of storage, server, network, hypervisor, etc.  They felt that utter flexibility to mix and match components was essential.

That's interesting, I thought.  How did they feel about their mainframe environment?  Their corporate network?  Their email and database environment?  Their purchased applications?  Weren't those largely vendor-specific enterprise-class environments?  

Yes, they claimed, and that was precisely what they wanted to avoid this time around.
I kind of sat back and thought about what they were saying -- I was quiet for a while.  I wasn't quite sure where to take the discussion, really.  I needed time to regroup.

One of the senior guys spoke up after a bit, maybe being a bit too honest.

Look, he said, there are going to be a lot of financial institutions that are going to want to run on commodity clouds in the future.  If they could figure out how to make it work here, there'd be strong demand for that skill set and expertise elsewhere.

Wow.  I really had to think about that one.  I was largely dumbstruck -- ultimately, this wasn't necessarily about doing what was best for the business.  Now it seemed that part of the agenda was about helping the participants create a marketable set of in-demand skills.  Wow.
What Could I Say?

There comes a time in some customer discussions where you assess the situation, and the logical course of action is to beat a hasty retreat.  This particular conversation wasn't going anywhere fast.
They had ostensibly brought EMC in to talk about some of our specific storage products that might work in their environment.  They were curious about what Atmos was all about.  They wanted to know what the upper end of the Iomega range could do for them, and they had a passing interest in low-cost, high-density and high-bandwidth modular storage arrays. I told them what I knew.

One of the guys in the room kept interrupting me and wanted to know what the effective price per usable gigabyte was for each of the products I was talking about.  I guess I frustrated him, because I just didn't know what the current answer was -- the prices drop routinely as the components change.
After about 15 minutes of that, I did come up with one last proposition to try and salvage the original thread.

The Proposition
Look, your team has been chartered to deliver a cloud-like environment to IT so they can start delivering variable IT services back to the business.  You're under the gun to deliver something usable, and soon.  And you've convinced yourself that the right path is to roll your own.

Since there's a lot at stake, why don't you understand your competition?

Bring in a small Vblock, see what it can do and use it as a benchmark to compare your internal efforts.  Compare costs, compare functionality, compare stability, compare integration, compare compatibility, compare support, etc.

If you can do better, faster and cheaper with your own home grown efforts, great.  You'll have accomplished something substantial. But at least you'll know what competitive alternatives can do -- you'll have the facts.  And if you can't do better on your own, you'll know that sooner than later.
They politely thanked me for my suggestion.  I knew that they'd never consider it seriously.

Later Reflections
As I was walking out, I was thinking about all the Vblocks that went in shortly after the Big Homegrown Cloud Project had visibly failed.  I could have shared that with the team, but I don't think it would have mattered.

I could have made the case that Amazon, Google, Facebook, Twitter, et al. have a very different business model (not to mention application profile!) than large financial institutions.  I don't think that would have mattered either.

I could have made a case that changing how IT operates -- and how it interacts with the business -- is the *real* heavy lifting around clouds and IT-as-a-service.  And, instead, they were spending all their precious resources on re-inventing the wheel.  I don't think that one would have worked.
I could have made a case that getting something workable and usable on the floor probably mattered more to the business people who were paying the bills than their elongated and uncertain approach.  I'd just be talking to the wind on that one ...

The sales rep was looking for some ideas on what to do next at the account.

The first thing that came to my mind was simple: go find some grown-ups, and tell them what's going on.  At some point, a legitimate business requirement had obviously turned into a self-satisfying science project for the participants.  Their cloud project wasn't going well.  However, their defense and rationalization mechanisms were working quite well indeed.

Based on my experience, the prognosis was not good.  The sooner someone who was paying the bills realized it, the better.

And, no, you weren't going to earn any brownie points with the "cloud team" in the process.
The bottom line?  Had they chosen a different path, they would have been using their cloud in production for several months.  They'd be moving on to the next challenge.  Or, they could look at what VCE had done, and make an informed case to do better themselves.

Instead, it looked like all they had was a pile of assembled components, and nothing really useful to show other than some interesting experiences and some more stuff to put on their resumes.

Sure, there are cases I've seen where -- yes -- it could make sense to invest in a big team and a big project to create a hand-crafted cloud.  But that's the rare exception, and only after a sober analysis of the costs and benefits of doing so.

The first few times I saw this, it was unusual.  But it seems to be happening more.
And I think that's not too good for anyone.

By: Chuck Hollis

Tuesday, October 18, 2011

The Shape Of The New Storage Market

Part of my role here at EMC is to spend time with what we call the "industry influencers" -- the press, analysts, and the consultants who ostensibly shape public perceptions.

When it comes to EMC's storage business, they collectively seem to be fascinated by one minor market development or another -- mostly it's about a specific technology and specific vendors.  Only a few seem to have an appreciation for the big, secular trends that are driving the transformation of storage technology -- and the vendors that play.

Although EMC doesn't have an official talk track on "the changing shape of the storage industry", I do have a personal one.

And, if you're interested, I'd like to share the back story of how I put all of the day-to-day discussion into a broader framework.

It's Not About Storage, It's About Information
I suppose a good starting point is that storage is merely a receptacle for information.  It's the information that matters.

We're all familiar with the bold statements around explosive information growth.  I paint information growth as the inevitable consequence of a shift to an information economy -- one where information (and value-added around information) becomes the prime motivator of value.

Of all the fundamental IT infrastructure technologies, only storage is persistent.  Networks don't retain information, nor do CPUs.  To me, this means that storage growth is on a fundamentally different market growth trajectory than, say, bandwidth or processor speed.  And any big market attracts a lot of attention.

The reason I call this out is simple: way too often people who get close to the topic can lose sight of what this stuff is actually being used for :)

Big Idea #1 -- The Fundamental Storage Technologies Are Changing
At the storage device level, I think most people realize we're in the midst of two fundamental storage media changes.  Tape is rapidly being replaced by disk for backup and archive, and flash is in the process of replacing both spinning disks and DRAM-based storage caches.

The key to both transitions is not hardware, but intelligent software that makes extracting the benefit from these new technologies transparent for their users.  In the EMC portfolio, examples would be DataDomain's operating system for backup, and FAST for primary storage.

The way that these technologies are being assembled is changing as well.  Industry standard components and building blocks (think Intel) are now the norm vs. proprietary chips and architectures.  Traditional scale-up storage architectures are quickly giving way to scale-out architectures that start smaller and get linearly bigger and faster.

Storage technology isn't just about isolated arrays anymore, either.  The storage architectural domain now projects upwards into the server and hypervisor (think server-based flash storage and path management) as well as outwards across meaningful distance (think replication and geographic optimization, for example).

Many people have noticed that the classic lines between "what is a storage array" and "what is a server" are starting to blur.  The parts are the same, the roles assigned are becoming largely arbitrary.  Consider, for example, EMC's recent demos of virtual machines being VMotioned to an Isilon array.  Or VMware's "soft" storage array that runs as a virtual machine.

And that's going to continue.  The result?  "Storage" becomes something that needs to get done in the infrastructure.  And it won't necessarily be done by a well-defined box to point to.

Big Idea #2 -- Storage Integration And Convergence Matters
People love to talk about storage as an isolated topic, but that's getting much harder and harder to do.  Why?  Customers are demanding integration and convergence for all the right reasons -- and in a dizzying number of vectors.

Take the current hot topic of server virtualization integrating with storage, for example.  Or storage integrating with IT management and operations frameworks.  Or storage and security.  Or storage enforcing information management policies.

The importance of tight integration between storage and adjacent IT disciplines is sometimes becoming more important than the storage itself.
Consider application integration.  Is your storage environment smart about SharePoint?  Oracle?  SAP?  Exchange?  Spring?  Can application administrators easily take advantage of specific storage features designed for their world?  EMC can have a rich, standalone discussion with Oracle DBAs, Exchange administrators, SharePoint architects, SAP consultants, media workflow people, big data folks, etc. etc. and be very clear about how we've invested in making their lives easier.

Or, perhaps consider the end case of infrastructure integration -- converged environments such as a Vblock.  Or smaller environments where IT generalists have to do it all, such as with Unisphere.  In these environments, storage largely ceases to be an individual discipline and technology domain, and blends in to become "part of the whole".

The larger and more important the storage environment, the more important that it integrates tightly with the needs of other IT stakeholders: the virtualization team, the networking team, the security team, the application teams, the operations teams and so on.  Or conversely, if there's a small number of IT people trying to manage a large environment, integration and simplicity becomes just as important.

Thinking of storage as a standalone topic largely misses this "touches everything" aspect.  And the importance of integration is only going to increase over time.

Big Idea #3 -- Storage Consumption Models Are Changing
The world is going cloud, and IT is becoming "as a service".  Sometimes those services are generated internally; increasingly these services will be provided externally via service providers.
These user-visible IT services are in turn built on layered services, and storage is coming into quick focus as a candidate to be delivered as a service.

Why?  Everyone uses storage.  Here's your service catalog, here's your consumption model, what would you like?

Larger enterprises will inevitably need to adopt a storage-as-a-service mindset before too long.  And IT service providers are finding willing customers who want the convenience and flexibility of variable external services -- whether it's just storage itself, or wrapped into a higher-level service offering.
EMC storage products and methodologies are already being used to deliver storage as a service -- both for enterprise customers and the newer crop of IT service providers.  And our recent investment in growing a cadre of compatible service providers means that our customers will have even more options to do it themselves, or have someone do it on their behalf.

Don't Miss The Big Picture
I'm like a lot of people out there -- I scour the internet for news about new storage technologies, new vendors doing interesting things with storage, and the like.  As a matter of fact, a lot of people at EMC do the same thing :)

But the difference is that here at EMC we have a few fundamental beliefs in how the storage world is changing.  We've made our bets, with more on the horizon.  To be clear, EMC hasn't stopped investing around these fundamental shifts -- some of the coolest stuff is yet to come.

To be successful in the storage business these days, it's clear to me that successful vendors will need more than a few products to cover the major bases.  And larger IT vendors who treat storage as merely a sideline to their other businesses will likely not fare well -- you've got to be prepared to make some pretty big bets and see them through for multiple years.

Unfortunately, the picture isn't especially pretty for smaller vendors in this regard.  I think the storage market has matured to the point where it is going to be exceedingly difficult for a new company with a hot product to make a significant dent in the storage marketplace -- unless they're acquired by a bigger company, that is ...

What does this mean for customers?
It's easy -- and it's hard.  If you step back, I think it's relatively easy to see how the storage world is changing, and how that might affect your day-to-day decisions.  Yes, it's a noisy marketplace with everyone claiming a slightly different point of view, but the big themes are there for all to see.
Doing something about it in your specific environment, well, that can be decidedly more difficult :)

By: Chuck Hollis

Monday, October 17, 2011

Clouds and Public Policy -- The Developing Economy View

A while back, I wrote a post recapping the work of the CLOUD2 advisory group, chartered with giving the US government a useful perspective on areas where US public policy can help -- or hurt -- in helping to capitalize on cloud models.

As a reasonably developed economy, the US example is illustrative, but what about developing economies?  How should they look at the potential opportunity from their perspective?

Having just returned from Dubai in the UAE, this was the one topic that seemed to bubble up in most of my conversations with the press, local analysts and many of the larger customers and partners --
how can public policy create new opportunities in the face of a shift to an information economy powered by clouds?

And I think my Dubai experience might be a useful model for other aggressively developing economies.

A Bit About Dubai
I had heard stories, but I had never been.  I'm glad I made the trip, it was eye-opening on multiple levels.

From the desert, an economic miracle has been born, driven largely by progressive government leadership in key areas.  In a nutshell, it's an open, multicultural economic capital for the greater Middle East, and most of Africa.

I think of Dubai much as I do Hong Kong for China, London for Europe, Miami for Latin America, and so on - a hub for commerce.  EMC, for example, covers the region from Dubai with 450 employees.

I was in town for the GITEX event: keynotes, customer and partner meetings, and so on.  GITEX itself covers the range of technology from consumer to large-scale enterprise -- it was big, diverse and vibrant.  If you remember the old COMDEX shows from the 1980s, you'll get a sense for the size and scope.

And, yes, they had a "cloud" track much as you'd expect :)

I had fully expected to see a thriving service provider market serving not only the UAE, but the broader region.  It really wasn't there. I was surprised.

From an outsider's perspective, conditions for an SP-focused IT market seemed perfect: regional hub, thriving economy, critical shortages in key IT talent, stable and progressive government, and so on.
Yes, there were a few SPs poking around in the shadows, but it wasn't the same as say, ANZ or the Nordics or Canada or the UK or other places where there's a wholesale transition to an SP-centric IT consumption model.

What was the missing ingredient?
Turns out that I was not the only one wondering about that question -- it was on a lot of people's minds.  How can Dubai position itself to be a regional hub in IT services, much the way it has become a regional hub for finance, commerce, etc.?  And what role should public policy play?
So I had to give it some thought ...

The Opportunity
Dubai's economic roots started by being a free-trade zone.  If you wanted to move goods from here to there in the region, the port of Dubai was the place to do it.  Over time, that open philosophy carried through to financial flows -- money moving in and out -- and talent flows as well.  It's relatively rare to meet someone originally from the UAE; just about everyone seems to be from somewhere else.

Carry that "open" thought through to the new economy: global information flows and the clouds that power them.  Organizations in the region want to use IT services, and not necessarily own them.  Whether that customer is a local company, a regional player, or perhaps a multinational doing business in the Middle East -- there's a clear incentive to rent IT services vs. investing in building your own.
The technology is there.  The opportunity is there.  The customers are there.  The passion and vision is there.

So, what's missing?
The Potential Role Of Public Policy In Developing Economies
Assume, for the moment, that a progressive government sees the cloud opportunity forming, and wants to do the right thing to move things along without too much meddling.  What should the thinking be?
First question: does the government respect data rights the same way it respects property rights, financial rights, and so forth?  

Organizations need clear and unfettered rights to their data.  For example, in Europe the US Patriot Act causes justifiable concern that a US government agency can force a US-based cloud provider to hand over personal and corporate data with scant protections for the owner.

Clearly, government policy can help here.  Crisp statements on information ownership rights, and transparency around judicial processes involved can go a long way.  You wouldn't do business in a country where your financial assets could be arbitrarily seized without due process; the same concerns apply to corporate information.

Second question: are the required good pipes in place?
Previous models of economic development focused on transportation infrastructure: highways, ports, airports and the like.  In the information economy, it's all about the network.

Long-haul internet connections are always important, but if you accept the notion that most of the opportunity is in providing regional support, the connectivity between geographically adjacent markets becomes more important.  And network performance should be predictable, and not impacted by filtering or monitoring activities.

Third question: is local education investing in the new generation of required skills?  
At the end of the day, IT leadership boils down to talent, and, in a cloud-based world, the required skills are scarce.  There's a sharp contrast in the educational profile between traditional IT and the new forms.  An opportunity to differentiate, if there ever was one.

EMC continues to invest heavily in forming partnerships with academic institutions, but you'd be surprised how much organizational resistance we can encounter trying to convince academic leaders to invest in cutting-edge IT curricula.

A gentle but firm push from governmental authorities would certainly be helpful :)
Fourth question: are government agencies strongly encouraged to use external service providers for their IT?

Governments spend a lot on IT, and their clear willingness to direct that spend to external service providers would inevitably draw the investment dollars needed to bootstrap more than a few regional service providers.  It doesn't have to be the uber-critical, super-sensitive stuff -- even the more routine administrative workloads generated by a government are substantial when considered in their entirety.
A "service provider first" policy for IT procurement makes sense in this context.

There's More ...
I'm sure there's a role for tax incentives and investment credits, but governments know how to do those sorts of things.  A few developing economies have expressed their interest in creating a "government cloud" for local businesses, but the idea of government employees (supervised by politicians!) trying to run a competitive IT service strikes me as impractical at best.

Better to create the incentives for private organizations, vs. trying to behave like a private organization.
Governments can also create tax incentives for local businesses to use external services vs. trying to do things themselves.  For example, a tax on IT infrastructure products not being used by service providers might be an interesting avenue.

The Opportunity?
When big transitions occur, there's challenge, and there's opportunity.  I strongly believe the next wave of economic development and growth will be information-based, powered by clouds, and delivered by service providers.

I think there's a clear case that can be made that a progressive government can do much to help capitalize on this mega-trend.

Wise policy-makers will hopefully realize that a handful of timely forward-looking actions will make all the difference between being a regional leader, and being a laggard.

By: Chuck Hollis

Thursday, October 13, 2011

Spammers Pay Tribute to Icons with Atrocious Malware

Contributor: Christopher Mendes

When stalwarts pass away the world mourns their loss, tributes flow and emotions run high. Whenever we lose a legendary figure, their death brings shock or grief and people are hungry for any and every available piece of information about the "How" and the "Why" and the "When" related to the death of these important figures.

We studied the aftermath of these icons’ passing and the eulogy written by spammers. The spammer’s sole motive is to use incidents to compromise weak systems. On further examination of the collected data we traced a predictable pattern, the details of which are given below:

Michael Jackson
  Subject lines:
  • Michael Jackson not dead
  • Michael Jackson seen alive
  • Michael Jackson lives
  Associated threats:
  • W32.HLLP.Sality.O
  • W32.Pinfi
  • Trojan.Dropper
  • W32.Ackantta.F@mm
  • Downloader.Psyme
  • Backdoor.Trojan

Amy Winehouse
  Subject lines:
  • Ravages of the drug in the body of Amy Winehouse
  • Amy Winehouse Not Dead
  Associated threats:
  • Infostealer.Bancos

Steve Jobs
  Subject lines:
  • Is Steve Jobs Really Dead?
  • Steve Jobs Alive!
  • Steve Jobs Not Dead!
  • Steve Jobs: Not Dead Yet!
  • Steve Jobs Alive and Well?
  Associated threats:
  • Blackhole Exploit

When Michael Jackson passed away, spammers started spreading a rumor through email which stated 'Michael Jackson is not dead'. The same pattern was used when Amy Winehouse suddenly passed away, and again when visionary Steve Jobs passed away.

But, in all these cases, it was not just false rumors but malicious code that was being transferred to computers in various ways (using iframes, redirecting users to malicious Web pages, and/or malware as embedded attachments). People jumped to open such links, under the influence of their emotions over news of the tragic events, and spammers thrived by discovering and exploiting the vulnerabilities available on users’ systems.

Users can definitely deny spammers satisfaction by checking emotions and withholding curiosity. Use a little bit of caution before clicking on any unknown link. Symantec provides regular security updates to stave off any such misadventure from spammers. Regularly update your security products and stay safe.

By: Samir Patil

Wednesday, October 12, 2011

New Symantec Research: The Motivations of Recent Android Malware

For years now, we in the cyber security industry have been saying an explosion of mobile malware is just around the corner. Beginning in earnest this year, we have indeed observed a marked increase in threats targeting mobile devices – particularly the Android platform. However, it’s probably not accurate to say the expected explosion has in fact occurred. The reality is that cybercriminals are still very much in the exploratory phase of figuring out how to monetize the exploitation of mobile devices.

This is the topic of Symantec’s latest research. You can read the whitepaper in its entirety here.

Above all else, our analysis highlights how most current efforts to monetize mobile malware have only a low revenue-per-infection ratio. This has severely limited the return on investment achievable by attackers. It also offers detailed insight into the top current mobile malware monetization schemes observed by Symantec, including how each works and examples of the malware presently being used to carry them out. These schemes are:
  • Premium-rate number billing scams
  • Spyware
  • Search engine poisoning
  • Pay-per-click scams
  • Pay-per-install schemes
  • Adware
  • Stealing mobile transaction authentication numbers (mTAN)
However, the research also points out that the currently struggling revenue-per-infection ratio is primed to improve. The trigger will likely be advances in mobile payment-type technology and the widespread adoption of using mobile devices for both payment and accepting payment. The key is that these applications rely on devices to transmit financial information —such as mobile banking credentials—backed by real monetary funds. We’ve learned in the PC world just how lucrative the exploitation and sale of this kind of information can be for enterprising cyber criminals.

Many vendors are now using mobile devices such as smartphones and tablets as point-of-sale devices.  For example, a farmer’s market vendor or a taxi driver may now swipe your credit card through their personal smartphone rather than a dedicated point-of-sale device. Alternatively, a big box retailer may replace their existing point-of-sale devices with well known smartphones or tablets. A malicious attacker who has infected these devices, which is likely easier than infecting existing point-of-sale devices, could potentially skim every credit card transaction.

Additional potential revenue-generating schemes likely to be seen in the near future are discussed as well. These include:
  • Selling stolen International Mobile Equipment Identity (IMEI) numbers for use on previously blocked or counterfeit phones.
  • Peddling fake mobile security products—another tactic that has been highly successful in the PC realm.
The paper surmises that only if the current monetization schemes, and those likely to be seen in the near future, succeed will attackers continue to invest in the creation of Android malware.

By: Eric Chien

Tuesday, October 11, 2011

Backdoor.R2D2: The Long Arm of the Law?

On October 9th a German hacker group going by the name of the Chaos Computer Club (CCC) published an analysis of what they claim to be government spying software. The analysis is a 20 page PDF file describing how the software works. In addition, CCC made available a copy of the software on their website in the form of a .dll file and a .sys file (driver file). The CCC has not offered any proof of their claims that these are government affiliated samples.

Symantec has performed an initial analysis on the samples and has confirmed much of the functionality as described in the CCC document. The samples are malware--which Symantec detects as Backdoor.R2D2--that opens a back door allowing a remote attacker to access the compromised computer.

The back door .dll file, mfc42ul.dll, monitors chat and VOIP applications and is able to intercept status changes in the software, such as an incoming or outgoing call. It includes functionality to take screenshots of the desktop and upload this to a remote command and control (C&C) server.
Stolen data is AES encrypted using a static key stored in the executable. Commands are retrieved from the C&C over TCP port 443 in plain text.
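The plain-text command channel on TCP port 443 described above is a cheap network-level detection opportunity: legitimate traffic on 443 almost always begins with a TLS ClientHello record. The following is an added example, not code from the Symantec post; the flow records and payload bytes are constructed samples, and the plain-text line stands in for the real R2D2 command format, which the post does not describe.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS handshake.

Added example (not from the Symantec post). Backdoor.R2D2 is described as
retrieving C&C commands over TCP port 443 in plain text, so a flow on 443
that does not open with a TLS record is worth a closer look. All flow
records and payloads below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type ClientHello
TLS_MAJOR = 0x03       # SSL 3.0 and every TLS 1.x record version starts with 0x03
MAX_RECORD = 16384     # maximum TLS plaintext record length


@dataclass
class Flow:
    """First bytes sent by the client in one TCP flow (constructed shape)."""
    flow_id: str
    dst_port: int
    first_client_bytes: bytes


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload begins with a plausible TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != TLS_HANDSHAKE or major != TLS_MAJOR or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    # A handshake record must be non-empty and fit in a single TLS record.
    if record_len == 0 or record_len > MAX_RECORD:
        return False
    return payload[5] == CLIENT_HELLO


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(payload)


def flag_plaintext_on_443(flows: List[Flow], min_printable: float = 0.9) -> List[Tuple[str, str]]:
    """Return (flow_id, reason) for flows to port 443 that do not start with TLS.

    Flows that are mostly printable ASCII are labelled "plaintext on 443";
    other non-TLS flows (binary custom protocols) are labelled "non-TLS on 443".
    """
    hits = []
    for flow in flows:
        if flow.dst_port != 443:
            continue
        if looks_like_tls_client_hello(flow.first_client_bytes):
            continue
        reason = "non-TLS on 443"
        if printable_ratio(flow.first_client_bytes) >= min_printable:
            reason = "plaintext on 443"
        hits.append((flow.flow_id, reason))
    return hits


# Constructed sample flows: one genuine-looking TLS 1.0 ClientHello prefix,
# one plain-text line on 443 (placeholder, not the actual R2D2 protocol),
# one HTTP request on port 80 (ignored by the port filter) and one binary
# non-TLS blob on 443.
SAMPLE_FLOWS = [
    Flow("flow-1", 443, b"\x16\x03\x01\x00\x7d\x01\x00\x00\x79\x03\x03" + b"\x00" * 32),
    Flow("flow-2", 443, b"CMD constructed-sample-line\r\n"),
    Flow("flow-3", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Flow("flow-4", 443, b"\x00\x01\x02\x03\x80\x90\xa0\xb0\xc0\xd0"),
]

if __name__ == "__main__":
    for flow_id, reason in flag_plaintext_on_443(SAMPLE_FLOWS):
        print(f"{flow_id}: {reason}")
```

In practice the first-bytes check is applied to the client side of each new flow (for example from a flow collector or IDS preprocessor); the AES encryption of exfiltrated data mentioned above does not affect this check, since the command channel itself is unencrypted.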

The accompanying driver file, winsys32.sys, contains code to implement a keylogger, but this code does not appear to get activated. The driver can be controlled from the .dll file in order to perform the following actions:
  • Create files
  • Write files
  • Rename files
  • Delete files
  • Create/modify registry entries
We are continuing to analyze this code and we will release further updates as more details emerge.

By: Gavin O Gorman

Friday, October 7, 2011

Security 101: Vulnerabilities, Part 1

Welcome back to Security 101.

The topic of today’s blog is vulnerabilities. In our frequent McAfee Labs Threat Advisories you see the term vulnerability in almost every item. “A vulnerability has been found…” or “A vulnerability in some versions of…” are commonplace. What is a vulnerability?

A vulnerability is a program bug that under certain circumstances makes the program behave incorrectly. Vulnerabilities are certain types of bugs that allow other people (usually attackers) to take advantage of them to abuse the program.

A useful analogy is to compare a system with a building. The operating system (OS) is the structure, giving support and foundation to the system, and the applications are the building’s rooms or the rooms’ contents. In this analogy, the users are the inhabitants of the building.

Each room in a building has a door, the communications channel between an application and the OS. Some even have windows, which allow programs to communicate with the exterior or the environment, such as Internet browsers or email clients.

A vulnerability is a flaw in the structure of the room—a door or window that shouldn’t exist, or a hole in the wall. This flaw could allow strangers to infiltrate the building, or to leave packages that could damage the building. That is why, for a system to be secure, the number of vulnerabilities must be as few as possible, because they are the entrance points for intruders and malware.

Not all vulnerabilities are equal. There are different kinds, with different effects, but all of them fall in one of two categories: local or remote. A local vulnerability is one that requires the intruder to have physical access to the machine, to the hardware itself, either with his or her own credentials or with stolen ones. In our analogy, this intruder must be an inhabitant of the building or must impersonate one.

A remote vulnerability, on the other hand, does not require the intruder to be present. It is enough for an attacker to send to the system a malicious file, a package with a very nasty surprise. This is why a remote vulnerability is always more dangerous than a local one.

We also classify vulnerabilities by risk level: high, medium, or low risk. Risk depends a lot on the criteria used by each person; at McAfee we define risks to make it clear to our customers what they should expect. Today we will look at only high-risk vulnerabilities; next time we will examine medium- and low-risk flaws.

High-Risk Vulnerabilities:
  • Remote Code Execution (RCE): The most risky vulnerability, RCE, when fully exploited, allows an attacker to take full control of the vulnerable system. It would be like putting a robot inside the flawed room that could do anything the attacker wanted, even affect other rooms or the structure itself. Some of the most dangerous malware needs this kind of vulnerability to work, because the flaw allows the malware to run without alerting the users. If a security patch covers this, it usually means the risk is great. It’s best to heed the warning.
  • Denial of Service (DoS): Another high-risk vulnerability, a DoS can freeze or crash the vulnerable program, or even the hardware itself in the worst cases. In this case the room’s door and windows are completely blocked, isolating the room from the building or the exterior. If the flaw is in the building itself, then the whole structure is cut off. Attacks by the Anonymous Group were examples of exploited DoS vulnerabilities. It is not difficult to imagine the chaos if the structure under attack is a router, server, or any other network infrastructure. A DoS vulnerability can vary in seriousness; it depends on which room is blocked. A closet could be less important than a bathroom or a meeting room.
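To make the two high-risk classes concrete in code, here is an added example (not from the post or from McAfee): a hypothetical request handler in a vulnerable form and a hardened form. The unchecked handler hands client-supplied text to the interpreter, which is the remote-code-execution class; the hardened handler caps input size (the denial-of-service guard) and accepts only literal values. `MAX_REQUEST_BYTES` and both function names are assumptions for this example.

```python
import ast

MAX_REQUEST_BYTES = 4096   # assumed cap on untrusted request size for this example


def handle_unchecked(request: str):
    """Vulnerable handler: evaluates untrusted text as Python.

    Whatever the client sends is executed, so the client rather than the
    application decides which code runs. That is the RCE class above: the
    "robot inside the room" takes its orders from outside. Shown only for
    contrast with the hardened version below.
    """
    return eval(request)  # deliberately unsafe


def handle_checked(request: str):
    """Hardened handler: bounded input size plus literal-only parsing.

    The two guards map onto the two high-risk classes:
      size cap      -> DoS: an oversized or deeply nested request can exhaust
                       memory or the parser's recursion budget before any
                       business logic runs.
      literal_eval  -> RCE: only literals (numbers, strings, lists, dicts,
                       tuples, booleans, None) are accepted; names, calls
                       and attribute access are rejected.
    Returns the parsed value, or None when the request is refused.
    """
    if not isinstance(request, str) or len(request) > MAX_REQUEST_BYTES:
        return None
    try:
        return ast.literal_eval(request)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        # Malformed or non-literal input is refused rather than executed.
        return None


if __name__ == "__main__":
    print(handle_checked('{"user": "alice", "ids": [1, 2, 3]}'))   # parsed dict
    print(handle_checked("some_function()"))                          # None: not a literal
    print(handle_checked("[" * 100000))                               # None: over the size cap
```

The size check runs before any parsing on purpose: the cheapest guard goes first, so a flood of oversized requests is rejected at almost no cost. Both guards are ordinary input validation, which is why so many high-risk advisories boil down to a missing check of exactly this kind.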

To see examples of these vulnerabilities, take a look at our McAfee Security Awareness Community, where we post all of our Threat Advisories.

Next: Part 2: Medium- and Low-Risk Vulnerabilities

By: Francisca Moreno

Thursday, October 6, 2011

In 1990, when only the government and a number of universities were using the Internet, there were 357 unique pieces of malware. The need for security began with desktop computing when the only means of compromising data was by inserting a contaminated floppy disk into a PC or opening an infected email attachment. That was the anti-virus era.

The need for security evolved with the Internet as more companies developed internal and external networks. That was the network security era.

Now as companies leverage the power of the web, information security has evolved yet again: We are in the application security era. And as big companies get better at locking down their software and protecting their data, criminals are targeting the little guy. Ordinary citizens’ everyday digital lives are at risk via infected web pages, instant messaging, phishing, smartphone viruses, text message scams, and now hackers are targeting Macs in a big way.

In the past 20 years, e-commerce and social media have taken over. The numbers behind the explosive growth of cybercrime are astounding. In a little over two decades, we’ve gone from less than 500 pieces of malware to over 55 million annually. Cybercrime has evolved from nothing to a multibillion-dollar industry.

In 1995, 8069 unique pieces of malware were detected. One out of 20 emails were spam, and the Melissa virus infected hundreds of thousands.

In 2000, 56,342 unique pieces of malware were detected, mostly on PCs, but some began spreading to Macs. Then smartphones got the Cabir virus. The “I Love You” worm slithered its way onto millions of PCs, and the MyDoom worm slowed down the entire Internet by 10%, resulting in losses totaling 38 billion dollars.

In 2005, 164,000 unique pieces of malware were detected, including the first virus for Mac OS X and another 83 mobile viruses. 57 million U.S. adults fell for phishing scams via 17,877 different spoof websites. 80% of all email was spam. The Conficker worm, Zeus Trojan, Koobface, Applescript.THT, Storm botnet, and Ikee iPhone virus all made their debuts this year.

By 2010, 54 million unique pieces of malware were spreading to tablets, too. More than 90% of all email was spam. 27% of teens infected their families’ PCs with viruses in 2010. Almost 420,000 phishing sites were discovered. OpinionSpy, Boonana, and MacDefender infected Macs. Hackers commandeered Skype’s instant messaging service to deliver malware. The Gemini and Zitmo Trojans gathered location data and stole financial transaction information.

And if that’s not enough: in 2010, more than three million malicious websites were created, any one of which could infect your computer.

The question is: are you protected? Are you using some free download by an unknown company to protect yourself? Or do you have a comprehensive multi-layer approach to digital security protecting all your devices?

By: Robert Siciliano

Wednesday, October 5, 2011

The History of Malware

It doesn’t surprise me to learn that 90% of all email sent today is SPAM. I rarely have to check my email. I look at my kids’ inbox and it seems higher because they never even check their SPAM folder, let alone delete any of it!

However, the history of computer viruses and other malware really intrigues me. It fascinates me that someone even thought this stuff up as a way to get money. What started out as a smattering of 357 pieces of malware has grown to 54 million unique pieces of malware out on the interwebs and billions of dollars to clean up!

In order to visualize how this ever-growing problem affects you, I’d like you to take a look at the latest from McAfee. We have a video and an infographic that shows the history of Malware. I am sure that even those of you who consider yourselves tech novices will remember a few of the big ones such as “I Love You” and “Melissa”.

I hope that now you can see why I am constantly harping about having a comprehensive security suite on your computer. Believe it or not, it isn’t because I write a blog for McAfee – though of course I believe in their products. It is because I have fallen victim to many of these scams.

Perhaps you remember when I clicked on a bad link in Twitter and had my Twitter account hacked. I am also certainly one of the 27% who have had their kids download a virus onto the computer. It is an incredible inconvenience, can cost lots of money to fix and you can lose family photos and important documents in the wake. My heart still aches when I think of all the vacation photos that I lost because they weren’t backed up anywhere!

Perhaps now you understand why it is so important to protect all of your devices – PCs, Macs, tablets and smartphones. It’s like the “wild west” out on the interwebs!

Stay safe out there!

By: Tracy Mooney

Tuesday, October 4, 2011

What’s On the Spammers’ Menu This Holiday Season?

The holiday season is about to commence and spammers have resurfaced with new offers well in advance. We have already observed spam for Christmas and New Year in the month of September, not to mention spam for Halloween, which is fast approaching!

So, what’s on the spammers’ holiday menu?  Well, there are virus e-cards, bogus meds, some interesting Internet gift offers with crazy discounts, and loans to help you celebrate a spammy whammy Christmas and to welcome the New Year! And don’t despair, because for Halloween you have the much coveted replica products! The list is definitely going to extend as the season comes closer. Discussed in detail below is the spammers’ vacation bonanza.

Here are some of the various spam subject lines being used for the upcoming holiday season:
Subject: Re: Happy new year!!!!
Subject: You have received a Christmas Greeting Card!
Subject: Rolex For You Now -85%
Subject: With our drugs you will never criticize yourself.
Subject: Cash for the New Year
Subject: Xmas Loan offer
Subject:ChcekkOutOurAasweomeWinieterDeals,DiscounttsAnddSpeciaalOfffersForTheNewwYYear
Subject: <removed> special starting at $299 - Schedule your free evaluation today

 
In the above sample, the attachment named Christmas Card.zip carries a worm that replicates over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. Below are two samples promoting fake online pharmacies and other health-related products at discounted rates. These spam messages can steal users’ personal details including email addresses, bank details, etc. when the link provided in the message is clicked.
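The subject lines and the attachment name quoted above are enough raw material for a first-pass triage rule. The following is an added example, not a McAfee filter or anything from the post: it scores each message by the number of distinct indicators present (holiday theme, discount or money lure, counterfeit or pharma product, glued-together words, padded letters like “Chcekk” and “Offfers” that are meant to slip past keyword filters, and an archive attachment with a greeting-card name). The indicator patterns, weights and threshold are assumptions for this example; the benign control message is constructed.

```python
import re
from typing import List, Tuple

# Indicator patterns are assumptions derived from the subject lines quoted in
# the post, not a vendor's filter rules.
SUBJECT_INDICATORS = [
    ("holiday theme", re.compile(r"\b(christmas|xmas|new ?year|halloween)\b", re.I)),
    ("greeting-card lure", re.compile(r"\b(greeting card|e-?card)\b", re.I)),
    ("discount claim", re.compile(r"-\d{2,3}%|\b(discounts?|special)\b", re.I)),
    ("money lure", re.compile(r"\b(loan|cash|free evaluation)\b|\$\d+", re.I)),
    ("counterfeit or pharma product", re.compile(r"\b(rolex|replica|drugs|meds|pills)\b", re.I)),
    ("excessive punctuation", re.compile(r"[!?]{3,}")),
    ("words run together", re.compile(r"[A-Za-z]{25,}")),
]
DOUBLED_LETTER = re.compile(r"([a-z])\1")
RISKY_ATTACHMENT = re.compile(r"\.(zip|rar|7z|exe|scr)$", re.I)
HOLIDAY_NAME = re.compile(r"\b(christmas|xmas|new ?year|halloween|greeting|card)\b", re.I)


def score_message(subject: str, attachment: str = "") -> Tuple[int, List[str]]:
    """Return (score, reasons): one point for each distinct indicator present."""
    reasons = [name for name, pattern in SUBJECT_INDICATORS if pattern.search(subject)]
    # Filter-evasion padding ("Chcekk", "Offfers"): many doubled letters in one subject.
    if len(DOUBLED_LETTER.findall(subject.lower())) >= 3:
        reasons.append("padded letters")
    if attachment and RISKY_ATTACHMENT.search(attachment):
        reasons.append("archive or executable attachment")
        if HOLIDAY_NAME.search(attachment):
            reasons.append("holiday-named attachment")
    return len(reasons), reasons


def triage(messages, threshold: int = 2) -> List[str]:
    """Return the subjects whose indicator score reaches the threshold."""
    return [subject for subject, attachment in messages
            if score_message(subject, attachment)[0] >= threshold]


# Sample messages: the subject lines and attachment name quoted in the post,
# plus one constructed benign message as a control.
SAMPLE_MESSAGES = [
    ("Re: Happy new year!!!!", ""),
    ("You have received a Christmas Greeting Card!", "Christmas Card.zip"),
    ("Rolex For You Now -85%", ""),
    ("With our drugs you will never criticize yourself.", ""),
    ("Cash for the New Year", ""),
    ("Xmas Loan offer", ""),
    ("ChcekkOutOurAasweomeWinieterDeals,DiscounttsAnddSpeciaalOfffersForTheNewwYYear", ""),
    ("<removed> special starting at $299 - Schedule your free evaluation today", ""),
    ("Team meeting moved to Tuesday, agenda attached", "agenda.pdf"),   # constructed control
]

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MESSAGES:
        score, reasons = score_message(subject, attachment)
        print(f"{score}  {subject!r}  {reasons}")
```

Run against the nine samples, seven messages reach the threshold; the pharmacy subject scores only one point and the control scores zero. That gap is the point of the exercise: a single indicator such as a holiday word or a product name is not enough on its own, and rules like these are a triage aid that should feed a reputation or attachment-scanning step rather than deliver a verdict by themselves.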
 
As the holiday season draws near, we advise users to take the utmost care while making online transactions. Make sure you are cautious when doing your Christmas shopping online. Beware of emails with malicious attachments, especially from unknown people who may want to compromise your security—don’t fall victim to spammers’ ploys!

By: Samir Patil

Monday, October 3, 2011

Phish Tastes Better Than Spam

Thanks to Shravan Shashikant and the Norton Confidential Online team for providing the data, and to Christopher Mendes for compiling it.

Does phish taste better than spam? Yes, perhaps it does. Allow me to explain.

The recent past has been one of the most volatile financial periods in history. World economies have reached a very critical stage—sovereign debt crises, bailouts, loan defaulters causing banks to shiver, sales shrinkages causing trade surplus, and bankruptcies. Add to all of this the fears of a double-dip economic recession theory making the rounds and it looks like a really dreadful picture.

But how does this affect the consumer from the point of view of email security? The consumer is the fulcrum point, the hinge of the story! All these negatives hit consumer spending in a very big way. The first wave of recession had definitely dented consumer confidence, and with the “Double Dip” theory lurking on the horizon it could be anybody’s guess. Logically, then, consumers felt their money was safer in the bank rather than in their wallet. The pangs of recession have definitely affected the world economy and consumer spending.

This volatile economic state has perhaps impacted the strategy of email spammers in a very defining way as well, especially from the point of view of pushing additional spam mails. A paradigm shift is being observed from spam to phishing. Therefore, it is worth lending some thought to the modus operandi of spammers.

A major source of survival for spammers is consumer spending. With the recession eroding world economies, consumer spending has taken a major hit. Spammers, who thrived on luring consumers to spend money, have definitely been dealt a severe blow. After all, who is going to be lured by spammed products during tough financial circumstances? What logically follows in the worldview of a spammer is the money in your bank account rather than that in your purse. Or, in other words, spammers will shift to baiting consumers with phishing emails to try and steal banking credentials when they know their spam campaigns aren’t working.

To see if this argument holds weight, let’s look at the graph below, which explains how spamming and phishing have panned out from the time the last recession hit us. Perhaps the world economic scenario itself is reflected:

The spam trend lines show a gradual but decisive move from the time the last recession struck. There was a recovery that was not sustainable and then there was a gradual decline. But, the last twelve months have been decisive, during which world economies struggled to remain buoyant. This is also reflected in the spam and phish demography.

There is a clear divergence visible in the chart during this time: a steady fall in the volume of spam and a steady rise in the phishing volume. Of course, the spam volume is definitely huge as compared to the phishing volume. But, the movements are noteworthy, keeping the global financial status in mind.
Coincidentally, another major event that took place during this time (around mid-March 2011) was the forced shutdown of Rustock. This event also was a trigger for a drop in global spam volumes by one-third. However, the overall declining spam trend was seen way before this shutdown took place and can be traced from August 2010:

The average volume of phishing increased exponentially—by a whopping 49%—between August 2010 and August 2011, compared to the average phishing URL volume seen between February 2009 and July 2010. On the other hand, during the same time frame, the volume of spam fell drastically—by 42%. In other words, the point at which phishing began to rise is near to when financial jitters raised their ugly head and spam volumes dropped off.

Therefore, what people need to focus on during difficult financial times is not only protecting their wallets and purses, but also their credit cards and any money in the bank. Remember, in difficult times, phish tastes better than spam! We at Symantec are closely monitoring these ripple effects. We would like to remind you to keep your security products updated to stave off all such malicious advances from spammers who will just as easily don a phishing hat and try their luck hooking into your bank account.

By: Samir Patil